Some notes and reflections on the Terminator threat
Over the past week the media have been discussing a tool called «Terminator», which reportedly allows attackers to disable antivirus, EDR and XDR platforms.
Terminator uses a well-known technique called «Bring Your Own Vulnerable Driver» (BYOVD). This technique abuses legitimate drivers that contain vulnerabilities: a malicious program interacts with the driver and forces it to execute malicious code in Ring 0 (the kernel). This approach is particularly useful for attacking systems with robust user-level defenses.
The BYOVD technique is based on the premise that, although modern operating systems have improved their security to prevent user-level privilege escalation, they are still vulnerable to threats that come from the kernel level. Attackers can exploit insecure or outdated device drivers to gain access to the kernel and, therefore, full control over the system.
How does Terminator work?
Although the source code of the binary that abuses the driver is not currently known, there is evidence that the following drivers are abused:
These drivers are perfectly legitimate and signed, so their installation on the system is possible if the attacker has:
- Local Administrator permission
- Ability to bypass UAC
In other words, to launch this attack and disable the antivirus, EDR or XDR, the attacker must already have carried out a series of activities, each of which presents opportunities for detection.
Should I be worried about Terminator?
It doesn’t really seem to bring anything new that hasn’t been done for years, so there’s no need to panic.
It would be concerning if a tool using this same technique were private and used selectively. However, Terminator is a tool for sale (or at least promoted for sale), and is therefore highly likely to quickly «burn» the vulnerable drivers it uses. Although, as of today, the drivers abused by Terminator are not yet widely detected, it is only a matter of (very) little time before they are detected both when written to disk and when loaded.
Additionally, Microsoft has controls that would be useful for blocking vulnerable drivers:
Therefore, if properly implemented and kept up to date, this would be an effective control for blocking known vulnerable drivers and preventing this type of attack.
Can I effectively protect myself from BYOVD attacks that exploit vulnerabilities in unknown drivers?
Yes, although it is very unlikely that antivirus, EDR or XDR solutions will detect it out of the box or have specific rules to block the loading of the vulnerable driver. Remember that this type of attack executes malicious code in Ring 0, where it has sufficient privileges to bypass those security controls.
This is where proactive Threat Hunting services become especially relevant, since an attack of this nature offers numerous opportunities for detection before code execution in Ring 0. The Threat Hunting service offered by BlackArrow constantly analyzes the telemetry generated by the EDR or XDR to detect and disrupt the attack chain before the incident escalates to proportions that are much harder to manage.
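As an added example (not code from the original post or from BlackArrow), the following hunting heuristic shows the kind of pre-Ring-0 signals mentioned above: a driver file written to disk by a user-land process, loaded shortly afterwards from outside the drivers directory, and followed by the termination of a security product. The telemetry, the blocklist hashes and the product names are all constructed placeholders; the event IDs follow Sysmon (11 FileCreate, 6 DriverLoad, 5 ProcessTerminate).

```python
from datetime import datetime, timedelta

DRIVER_DIR = r"c:\windows\system32\drivers"   # where benign drivers normally live
# Hashes of drivers known to be vulnerable; placeholder values, not real indicators.
BLOCKLIST = {"PLACEHOLDER_SHA256_VULNERABLE_DRIVER"}
SECURITY_PRODUCTS = ("sensor.exe", "msmpeng.exe")   # constructed AV/EDR process names

# Constructed sample telemetry, Sysmon-style: one suspicious host (ws01), one benign (ws02).
EVENTS = [
    {"ts": "2023-06-01T10:00:00", "host": "ws01", "id": 11,
     "image": r"C:\Users\bob\AppData\Local\Temp\loader.exe", "target": r"C:\Windows\Temp\drv.sys"},
    {"ts": "2023-06-01T10:00:20", "host": "ws01", "id": 6,
     "image_loaded": r"C:\Windows\Temp\drv.sys", "signed": True,
     "sha256": "PLACEHOLDER_SHA256_VULNERABLE_DRIVER"},
    {"ts": "2023-06-01T10:00:25", "host": "ws01", "id": 5,
     "image": r"C:\Program Files\EDR\sensor.exe"},
    {"ts": "2023-06-01T09:00:00", "host": "ws02", "id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True,
     "sha256": "PLACEHOLDER_SHA256_BENIGN"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def hunt_byovd(events, blocklist=BLOCKLIST, window=timedelta(minutes=10)):
    """Return one finding per driver load that looks like a BYOVD chain."""
    findings = []
    for load in (e for e in events if e["id"] == 6):
        reasons = []
        path = load["image_loaded"].lower()
        if load["sha256"] in blocklist:
            reasons.append("hash on vulnerable-driver blocklist")
        # A valid signature says nothing about intent; the load location does.
        if not path.startswith(DRIVER_DIR):
            reasons.append("driver loaded from outside the drivers directory")
        same_host = [e for e in events if e["host"] == load["host"]]
        if any(e["id"] == 11 and e["target"].lower() == path
               and timedelta(0) <= _t(load) - _t(e) <= window for e in same_host):
            reasons.append("driver file written to disk shortly before load")
        if any(e["id"] == 5 and e["image"].lower().endswith(SECURITY_PRODUCTS)
               and timedelta(0) <= _t(e) - _t(load) <= window for e in same_host):
            reasons.append("security product terminated after driver load")
        if len(reasons) >= 2:   # require corroboration; any single signal is noisy
            findings.append({"host": load["host"], "driver": load["image_loaded"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in hunt_byovd(EVENTS):
        print(finding)
```

The blocklist check is the only signal that depends on knowing the driver in advance; the other three fire for an unknown vulnerable driver too, which is the point of hunting on the chain rather than on the file.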
For more information, do not hesitate to contact us: